Operation of the Information System Security Management and Assessment Program (ISMAP) Starts

1. Background and purpose

The government of Japan stipulated a Cloud Adoption Policy for Government Information Systems in June 2018 (decided by the Liaison Committee of the Chief Information Officers [CIO] of each Ministry and Office on June 7, 2018) and upheld a Cloud-by-Default Principle as a basic policy. On the other hand, the necessity for discussions on the safety assessment of cloud services was stated in the Strategy for Investments for the Future 2018 (decided by the Cabinet on June 15, 2018) and the Cybersecurity Strategy (decided by the Cabinet on July 27, 2018).

Following this, the Study Group on Security Assessment of Cloud Services was held from August 2018 to December 2019, with METI and MIC serving as the secretariat, and a report was compiled in January 2020 following the collection of public comments.

Based on such Cabinet dicision, the Outline of the Basic Framework for the Security Assessment System for Cloud Services Introduced into Government Information Systems (decided by the Cybersecurity Strategy Headquarters on January 30, 2020) decided ISMAP’s (i) basic framework, (ii) concept on utilization among different governmental organizations and other bodies, and (iii) administrative jurisdiction and operation.

In response to the basic framework, on May 25, 2020, the Cabinet Secretariat, MIC and METI inaugurated an ISMAP Operation Committee, the highest decision-making body for ISMAP, which consists of: experts and representatives of the ministries and agencies with administrative jurisdiction over ISMAP, i.e., the Cabinet Secretariat (National Center of Incident readiness and Strategy for Cybersecurity/Information and Communications Technologies [IT] Comprehensive Strategy Office), MIC, and METI, as members. Following this, on May 26, 2020, the ISMAP Operation Committee held its first meeting and decided on a variety of rules and regulations for ISMAP. In response, the operation of ISMAP started.

Together with this, METI hereby releases the results of the call for public comments concerning the “Criteria on Security Assessment System (ISMAP) for Government Information Systems Draft Report,” which started on March 27, 2020, as an effort prior to starting the operation of ISMAP.

2. Outline of ISMAP

ISMAP is a program in which an applicant cloud service should be confirmed if it provides security measures that satisfy the criteria stipulated under ISMAP, which is determined in accordance with the predetermined assessment processes taking advantage of the framework of information security auditing, and then, if confirmed, the service is to be registered on the list of certified cloud services, which is released under ISMAP.

Moreover, in the program, an applicant auditing organization, which is a body entitled to audit the information security of applicants under ISMAP, should be confirmed if it satisfies the requirements for auditing organizations, which are predetermined under ISMAP, and if confirmed, the organization is to be registered on the list of certified auditing organizations, which is released under ISMAP.

ISMAP is expected to allow governmental organizations and other bodies to efficiently procure cloud services about which provision of a certain level of information security measures has been confirmed.

3. Results of the call

• Results of the call for public comments concerning the “Criteria on Security Assessment System (ISMAP) for Government Information Systems Draft Report” (see the Appendix) (in Japanese)

4. Related materials

For the outline, a variety of rules and regulations and other details of the newly determined ISMAP, visit the webpage exclusively for the program on the IPA website.

• Official ISMAP website (in Japanese)
• Basic Policies for the Information System Security Management and Assessment Program (ISMAP) Operation Committee (in Japanese)

5. Reference

• Outline of the Basic Framework for the Security Assessment System for Cloud Services Introduced into Government Information Systems (decided by the Cybersecurity Strategy Headquarters on January 30, 2020) (in Japanese)

Division in Charge

Information Economy Division, Commerce and Information Policy Bureau, METI